Search...

eWire PHP脚本存在参数任意命令执行漏洞

2007-11-17T00:00:00

ID SSV:2456
Type seebug
Reporter Root
Modified 2007-11-17T00:00:00

Description

BUGTRAQ ID: 25683

eWire是在丹麦使用的电子支付系统。

eWire处理用户请求数据时存在输入验证漏洞，远程攻击者可能利用此漏洞控制服务器。

eWire中所使用的PHP脚本ewirepcfunctions.php在调用命令行可执行程序时没有过滤URL中的paymentinfo参数：

$strEncryptedPaymentInfo = $_GET["paymentinfo"];

ewirePC_Decrypt( $ewireMerchantID,
$ewireServerURL,
$strEncryptedPaymentInfo )

ewirePC_Decrypt()是ewirepcfunctions.php中的一个函数，在ewirePC_Decrypt()中$strEncryptedPaymentInfo参数变成了$strPaymentInfo：

$strCommandLine = "decrypt \"$strMerchantID\" \"$strServerUrl\" \"$strPaymentInfo\""; $handle = popen($ewirePaymentClientFileName . " " . $strCommandLine, "r");

最终$strPaymentInfo参数没有经过检查便出现在了命令行，导致执行任意shell命令。

eWire Payment Client 1.70 eWire Payment Client 1.60 eWire

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

<a href="http://www.ewire.dk/page.asp?keyword=forsidedk&language=da" target="_blank">http://www.ewire.dk/page.asp?keyword=forsidedk&language=da</a>

JSON Vulners Source

Initial Source

{"sourceData": "", "status": "details", "description": "BUGTRAQ ID: 25683 \r\n\r\neWire\u662f\u5728\u4e39\u9ea6\u4f7f\u7528\u7684\u7535\u5b50\u652f\u4ed8\u7cfb\u7edf\u3002 \r\n\r\neWire\u5904\u7406\u7528\u6237\u8bf7\u6c42\u6570\u636e\u65f6\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63a7\u5236\u670d\u52a1\u5668\u3002 \r\n\r\neWire\u4e2d\u6240\u4f7f\u7528\u7684PHP\u811a\u672cewirepcfunctions.php\u5728\u8c03\u7528\u547d\u4ee4\u884c\u53ef\u6267\u884c\u7a0b\u5e8f\u65f6\u6ca1\u6709\u8fc7\u6ee4URL\u4e2d\u7684paymentinfo\u53c2\u6570\uff1a \r\n\r\n\r\n$strEncryptedPaymentInfo = $_GET["paymentinfo"]; \r\n\r\newirePC_Decrypt( \r\n$ewireMerchantID, \r\n$ewireServerURL, \r\n$strEncryptedPaymentInfo \r\n)\r\n \r\n\r\newirePC_Decrypt()\u662fewirepcfunctions.php\u4e2d\u7684\u4e00\u4e2a\u51fd\u6570\uff0c\u5728ewirePC_Decrypt()\u4e2d$strEncryptedPaymentInfo\u53c2\u6570\u53d8\u6210\u4e86$strPaymentInfo\uff1a \r\n\r\n\r\n$strCommandLine = "decrypt \\"$strMerchantID\\" \\"$strServerUrl\\" \r\n\\"$strPaymentInfo\\""; \r\n$handle = popen($ewirePaymentClientFileName . " " . \r\n$strCommandLine, "r");\r\n \r\n\r\n\u6700\u7ec8$strPaymentInfo\u53c2\u6570\u6ca1\u6709\u7ecf\u8fc7\u68c0\u67e5\u4fbf\u51fa\u73b0\u5728\u4e86\u547d\u4ee4\u884c\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610fshell\u547d\u4ee4\u3002\r\n\n\neWire Payment Client 1.70 \r\neWire Payment Client 1.60 \n eWire \r\n\r\n----- \r\n\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a \r\n\r\n<a href=\"http://www.ewire.dk/page.asp?keyword=forsidedk&language=da\" target=\"_blank\">http://www.ewire.dk/page.asp?keyword=forsidedk&language=da</a>", "sourceHref": "", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-2456", "type": "seebug", "viewCount": 5, "references": [], "lastseen": "2017-11-19T21:55:15", "published": "2007-11-17T00:00:00", "cvelist": [], "id": "SSV:2456", "enchantments_done": [], "modified": "2007-11-17T00:00:00", "title": "eWire PHP\u811a\u672c\u5b58\u5728\u53c2\u6570\u4efb\u610f\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2017-11-19T21:55:15", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T21:55:15", "rev": 2}, "vulnersScore": 0.7}}